renma 0.16.0 → 0.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (182) hide show
  1. package/CHANGELOG.md +157 -1
  2. package/README.md +219 -748
  3. package/architecture.md +533 -0
  4. package/design.md +469 -0
  5. package/dist/agent-skills.d.ts +1 -1
  6. package/dist/agent-skills.d.ts.map +1 -1
  7. package/dist/agent-skills.js +28 -8
  8. package/dist/agent-skills.js.map +1 -1
  9. package/dist/catalog.d.ts +1 -1
  10. package/dist/catalog.d.ts.map +1 -1
  11. package/dist/catalog.js +120 -12
  12. package/dist/catalog.js.map +1 -1
  13. package/dist/cli-help.d.ts +15 -9
  14. package/dist/cli-help.d.ts.map +1 -1
  15. package/dist/cli-help.js +32 -9
  16. package/dist/cli-help.js.map +1 -1
  17. package/dist/cli.d.ts.map +1 -1
  18. package/dist/cli.js +162 -40
  19. package/dist/cli.js.map +1 -1
  20. package/dist/commands/bom.d.ts +6 -3
  21. package/dist/commands/bom.d.ts.map +1 -1
  22. package/dist/commands/bom.js +27 -7
  23. package/dist/commands/bom.js.map +1 -1
  24. package/dist/commands/catalog.d.ts +1 -1
  25. package/dist/commands/catalog.d.ts.map +1 -1
  26. package/dist/commands/catalog.js +11 -4
  27. package/dist/commands/catalog.js.map +1 -1
  28. package/dist/commands/ci-report.d.ts.map +1 -1
  29. package/dist/commands/ci-report.js +18 -5
  30. package/dist/commands/ci-report.js.map +1 -1
  31. package/dist/commands/diff.js +8 -2
  32. package/dist/commands/diff.js.map +1 -1
  33. package/dist/commands/graph.d.ts +6 -2
  34. package/dist/commands/graph.d.ts.map +1 -1
  35. package/dist/commands/graph.js +30 -14
  36. package/dist/commands/graph.js.map +1 -1
  37. package/dist/commands/inspect.d.ts.map +1 -1
  38. package/dist/commands/inspect.js +2 -0
  39. package/dist/commands/inspect.js.map +1 -1
  40. package/dist/commands/ownership.d.ts +4 -3
  41. package/dist/commands/ownership.d.ts.map +1 -1
  42. package/dist/commands/ownership.js +27 -23
  43. package/dist/commands/ownership.js.map +1 -1
  44. package/dist/commands/readiness.d.ts +2 -1
  45. package/dist/commands/readiness.d.ts.map +1 -1
  46. package/dist/commands/readiness.js +105 -36
  47. package/dist/commands/readiness.js.map +1 -1
  48. package/dist/commands/scaffold.d.ts +3 -0
  49. package/dist/commands/scaffold.d.ts.map +1 -1
  50. package/dist/commands/scaffold.js +28 -2
  51. package/dist/commands/scaffold.js.map +1 -1
  52. package/dist/commands/suggest-metadata.d.ts.map +1 -1
  53. package/dist/commands/suggest-metadata.js +56 -8
  54. package/dist/commands/suggest-metadata.js.map +1 -1
  55. package/dist/commands/suggest-semantic-split.js +3 -3
  56. package/dist/commands/suggest-semantic-split.js.map +1 -1
  57. package/dist/commands/trust-graph.d.ts.map +1 -1
  58. package/dist/commands/trust-graph.js +12 -0
  59. package/dist/commands/trust-graph.js.map +1 -1
  60. package/dist/config.d.ts.map +1 -1
  61. package/dist/config.js +10 -3
  62. package/dist/config.js.map +1 -1
  63. package/dist/dependency-resolution.d.ts +6 -0
  64. package/dist/dependency-resolution.d.ts.map +1 -0
  65. package/dist/dependency-resolution.js +11 -0
  66. package/dist/dependency-resolution.js.map +1 -0
  67. package/dist/diagnostic-ids.d.ts +8 -0
  68. package/dist/diagnostic-ids.d.ts.map +1 -1
  69. package/dist/diagnostic-ids.js +8 -0
  70. package/dist/diagnostic-ids.js.map +1 -1
  71. package/dist/discovery.d.ts +33 -0
  72. package/dist/discovery.d.ts.map +1 -1
  73. package/dist/discovery.js +178 -80
  74. package/dist/discovery.js.map +1 -1
  75. package/dist/markdown.d.ts.map +1 -1
  76. package/dist/markdown.js +15 -0
  77. package/dist/markdown.js.map +1 -1
  78. package/dist/model.d.ts +17 -1
  79. package/dist/model.d.ts.map +1 -1
  80. package/dist/model.js +4 -1
  81. package/dist/model.js.map +1 -1
  82. package/dist/quality-profile.d.ts +91 -0
  83. package/dist/quality-profile.d.ts.map +1 -0
  84. package/dist/quality-profile.js +91 -0
  85. package/dist/quality-profile.js.map +1 -0
  86. package/dist/repeated-context.d.ts.map +1 -1
  87. package/dist/repeated-context.js +38 -83
  88. package/dist/repeated-context.js.map +1 -1
  89. package/dist/repository-boundary.d.ts +30 -0
  90. package/dist/repository-boundary.d.ts.map +1 -0
  91. package/dist/repository-boundary.js +116 -0
  92. package/dist/repository-boundary.js.map +1 -0
  93. package/dist/repository-evidence.d.ts +2 -0
  94. package/dist/repository-evidence.d.ts.map +1 -1
  95. package/dist/repository-evidence.js +6 -4
  96. package/dist/repository-evidence.js.map +1 -1
  97. package/dist/repository-paths.d.ts +19 -2
  98. package/dist/repository-paths.d.ts.map +1 -1
  99. package/dist/repository-paths.js +123 -14
  100. package/dist/repository-paths.js.map +1 -1
  101. package/dist/rules.d.ts +2 -0
  102. package/dist/rules.d.ts.map +1 -1
  103. package/dist/rules.js +322 -256
  104. package/dist/rules.js.map +1 -1
  105. package/dist/scanner.d.ts.map +1 -1
  106. package/dist/scanner.js +5 -1
  107. package/dist/scanner.js.map +1 -1
  108. package/dist/security-diagnostics.d.ts.map +1 -1
  109. package/dist/security-diagnostics.js +95 -30
  110. package/dist/security-diagnostics.js.map +1 -1
  111. package/dist/security-diff.d.ts +5 -2
  112. package/dist/security-diff.d.ts.map +1 -1
  113. package/dist/security-diff.js +20 -4
  114. package/dist/security-diff.js.map +1 -1
  115. package/dist/security-policy-inventory.d.ts +15 -3
  116. package/dist/security-policy-inventory.d.ts.map +1 -1
  117. package/dist/security-policy-inventory.js +123 -26
  118. package/dist/security-policy-inventory.js.map +1 -1
  119. package/dist/security-policy.d.ts +7 -0
  120. package/dist/security-policy.d.ts.map +1 -1
  121. package/dist/security-policy.js +70 -7
  122. package/dist/security-policy.js.map +1 -1
  123. package/dist/security-posture.d.ts.map +1 -1
  124. package/dist/security-posture.js +2 -1
  125. package/dist/security-posture.js.map +1 -1
  126. package/dist/skill-migration.js +2 -0
  127. package/dist/skill-migration.js.map +1 -1
  128. package/dist/static-support.d.ts +13 -0
  129. package/dist/static-support.d.ts.map +1 -0
  130. package/dist/static-support.js +284 -0
  131. package/dist/static-support.js.map +1 -0
  132. package/dist/token-estimator.d.ts +21 -0
  133. package/dist/token-estimator.d.ts.map +1 -0
  134. package/dist/token-estimator.js +84 -0
  135. package/dist/token-estimator.js.map +1 -0
  136. package/dist/trust-graph.d.ts +3 -3
  137. package/dist/trust-graph.d.ts.map +1 -1
  138. package/dist/trust-graph.js +76 -21
  139. package/dist/trust-graph.js.map +1 -1
  140. package/dist/types.d.ts +7 -2
  141. package/dist/types.d.ts.map +1 -1
  142. package/docs/README.md +61 -0
  143. package/docs/advanced-skill-authoring.md +147 -0
  144. package/docs/agent-skills-compatibility.md +508 -0
  145. package/docs/authoring-guide.md +382 -0
  146. package/docs/context-conflict-diagnostics.md +32 -0
  147. package/docs/context-language-diagnostics.md +99 -0
  148. package/docs/context-lens.md +253 -0
  149. package/docs/context-lifecycle-diagnostics.md +55 -0
  150. package/docs/diagnostics.md +406 -0
  151. package/docs/metadata-budget.md +14 -0
  152. package/docs/quality-profile.md +123 -0
  153. package/docs/repository-context-bom.md +172 -0
  154. package/docs/schemas/repository-context-bom-v2.schema.json +648 -0
  155. package/docs/schemas/trust-graph-v2.schema.json +301 -0
  156. package/docs/security-policy.md +354 -0
  157. package/docs/trust-graph.md +47 -0
  158. package/docs/user-manual.md +842 -0
  159. package/examples/context-lens/README.md +101 -0
  160. package/examples/context-lens/contexts/testing/boundary-value-analysis.md +23 -0
  161. package/examples/context-lens/lenses/testing/spec-review-boundary-values.md +29 -0
  162. package/examples/context-lens/lenses/testing/test-design-boundary-values.md +29 -0
  163. package/examples/context-lens/skills/testing/spec-review/SKILL.md +49 -0
  164. package/examples/context-repo/README.md +148 -0
  165. package/examples/context-repo/contexts/domain/payment/idempotency.md +27 -0
  166. package/examples/context-repo/contexts/testing/boundary-value-analysis.md +26 -0
  167. package/examples/context-repo/contexts/testing/negative-testing.md +26 -0
  168. package/examples/context-repo/lenses/testing/spec-review-boundary-values.md +35 -0
  169. package/examples/context-repo/renma.config.json +12 -0
  170. package/examples/context-repo/skills/testing/spec-review/SKILL.md +71 -0
  171. package/examples/context-repo/tools/appium/README.md +14 -0
  172. package/examples/github-actions/renma-ci-report.yml +36 -0
  173. package/examples/interactive-placeholder/README.md +104 -0
  174. package/examples/interactive-placeholder/assets/template.txt +1 -0
  175. package/examples/interactive-placeholder/renma.config.json +6 -0
  176. package/examples/interactive-placeholder/skills/replace-placeholder/SKILL.md +54 -0
  177. package/examples/interactive-placeholder/tools/README.md +48 -0
  178. package/examples/interactive-placeholder/tools/placeholder-demo.mjs +99 -0
  179. package/package.json +10 -1
  180. package/plan-discovery.md +749 -0
  181. package/plan.md +90 -0
  182. package/scripts/verify-package.mjs +104 -0
package/plan.md ADDED
@@ -0,0 +1,90 @@
1
+ # Renma Roadmap
2
+
3
+ ## Current Product Definition
4
+
5
+ Renma 0.18.0 is the current shipped baseline: a Git-native context repository
6
+ and deterministic governance CLI for agent-consumable Skills, Context Lenses,
7
+ Context Assets, local support resources, policies, ownership, lifecycle,
8
+ dependencies, and review evidence.
9
+
10
+ ```text
11
+ Skill = focused, bounded workflow entrypoint
12
+ Context Lens = purpose-oriented interpretation over Context Assets
13
+ Context Asset = independently owned source-of-truth knowledge
14
+ ```
15
+
16
+ Use platform-native guidance for general Skill authoring, then use Renma for
17
+ repository-specific governance. Renma follows the deterministic boundary:
18
+
19
+ ```text
20
+ LLM proposes. Renma verifies. Human approves.
21
+ ```
22
+
23
+ ## Implemented 0.18.0 Baseline
24
+
25
+ The shipped baseline includes:
26
+
27
+ - focused workflow Skills with explicit usage boundaries rather than thin
28
+ routing-only entrypoints;
29
+ - progressive disclosure through static, reviewable references;
30
+ - first-class Skill-local `references/`, `profiles/`, `examples/`, `scripts/`,
31
+ and `assets/` resources under `skills/**` and `.agents/skills/**`;
32
+ - deterministic ownership, reachability, helper-command, and static support
33
+ relationships, including ambiguity that fails closed;
34
+ - repository-bounded discovery that never follows leaf or directory symlinks,
35
+ with actionable evidence for referenced unusable paths;
36
+ - canonical Agent Skills compatibility, migration guidance, scaffold, inspect,
37
+ and non-editing suggestion workflows;
38
+ - catalog, graph, ownership, Readiness, semantic diff, CI, diagnostics v2, and
39
+ review-bundle projections;
40
+ - security diagnostics, reusable profiles, effective-policy inventory, and
41
+ deterministic compositional policy provenance; and
42
+ - Repository Context BOM v2 and Trust Graph v2 as the first supported
43
+ long-term contracts and the only emitted BOM/Trust Graph schemas.
44
+
45
+ Repository Context BOM v2 is a declared repository manifest, not a record of
46
+ what an LLM consumed. Trust Graph v2 is deterministic review evidence, not a
47
+ subjective score or runtime enforcement system.
48
+
49
+ Historical release detail belongs in [CHANGELOG.md](CHANGELOG.md). Contract
50
+ details live in [architecture.md](architecture.md), [design.md](design.md), and
51
+ the focused documents under [docs/](docs/README.md).
52
+
53
+ ## Stable Product Boundaries
54
+
55
+ Renma owns repository discovery and parsing, normalized static evidence,
56
+ validation, deterministic projections, and review-oriented authoring support.
57
+ It does not own live Skill or Context selection, prompt assembly, execution,
58
+ runtime telemetry, hosted gateways, automatic semantic rewriting, or automatic
59
+ policy weakening.
60
+
61
+ ## Deferred Skill-to-Skill Discovery Design
62
+
63
+ Graph-based Skill-to-Skill route discovery is not a 0.18.0 feature and has no
64
+ assigned release. The exploratory design in
65
+ [plan-discovery.md](plan-discovery.md) discusses possible `routes_to` metadata,
66
+ discovery aliases, generated routing indexes, and a `skill-index` projection.
67
+ None is an implemented contract.
68
+
69
+ Any future proposal must be reconsidered against the focused-workflow model
70
+ introduced in 0.18.0. It must remain deterministic and static, avoid runtime
71
+ selection, preserve source Skills, and receive an explicit version and contract
72
+ decision before implementation.
73
+
74
+ ## Later Candidates
75
+
76
+ Future product decisions may consider imported external consumed-context
77
+ evidence, additive projections over stable evidence, optional semantic-review
78
+ helpers, multi-repository workflows, or review visualizations. These are not
79
+ commitments and have no assigned version.
80
+
81
+ ## Explicitly Out Of Scope
82
+
83
+ - accepting task text and automatically selecting or ranking a Skill;
84
+ - fuzzy, embedding, or LLM-based runtime routing;
85
+ - runtime Context loading, injection, prompt assembly, or execution;
86
+ - runtime telemetry collection or hidden consumed-context import;
87
+ - automatic Skill-body rewriting or policy relaxation;
88
+ - arbitrary Skill roots without a reviewed compatibility decision; and
89
+ - advertising deferred `routes_to`, `skill-index`, aliases, or generated
90
+ routing indexes as current behavior.
@@ -0,0 +1,104 @@
1
+ import { mkdtemp, readFile, rm } from "node:fs/promises";
2
+ import os from "node:os";
3
+ import path from "node:path";
4
+ import { spawnSync } from "node:child_process";
5
+
6
+ const cache = await mkdtemp(path.join(os.tmpdir(), "renma-npm-pack-"));
7
+
8
+ try {
9
+ const packed = spawnSync(
10
+ "npm",
11
+ ["pack", "--dry-run", "--json", "--cache", cache],
12
+ { cwd: process.cwd(), encoding: "utf8" },
13
+ );
14
+ if (packed.error) throw packed.error;
15
+ if (packed.status !== 0) {
16
+ throw new Error(packed.stderr.trim() || "npm pack --dry-run failed.");
17
+ }
18
+
19
+ const reports = JSON.parse(packed.stdout);
20
+ const report = reports[0];
21
+ if (!report || !Array.isArray(report.files)) {
22
+ throw new Error("npm pack --dry-run returned no package file list.");
23
+ }
24
+ const files = new Set(report.files.map((file) => file.path));
25
+
26
+ for (const required of [
27
+ "package.json",
28
+ "README.md",
29
+ "dist/index.js",
30
+ "docs/trust-graph.md",
31
+ "docs/schemas/repository-context-bom-v2.schema.json",
32
+ "docs/schemas/trust-graph-v2.schema.json",
33
+ ]) {
34
+ requirePackagedPath(files, required);
35
+ }
36
+
37
+ const readme = await readFile("README.md", "utf8");
38
+ for (const rawTarget of markdownLinkTargets(readme)) {
39
+ const target = repositoryRelativeTarget(rawTarget);
40
+ if (!target) continue;
41
+ requirePackagedPath(files, target);
42
+ }
43
+
44
+ for (const forbiddenPrefix of [
45
+ "node_modules/",
46
+ "dist-test/",
47
+ "test/",
48
+ "src/",
49
+ "coverage/",
50
+ ".git/",
51
+ ]) {
52
+ if ([...files].some((file) => file.startsWith(forbiddenPrefix))) {
53
+ throw new Error(`Package unexpectedly includes ${forbiddenPrefix}`);
54
+ }
55
+ }
56
+ for (const forbidden of [
57
+ "examples/interactive-placeholder/workspace/output.txt",
58
+ "npm-debug.log",
59
+ ]) {
60
+ if (files.has(forbidden)) {
61
+ throw new Error(`Package unexpectedly includes ${forbidden}`);
62
+ }
63
+ }
64
+
65
+ process.stdout.write(
66
+ `Verified ${files.size} packaged files and every README-relative target.\n`,
67
+ );
68
+ } finally {
69
+ await rm(cache, { recursive: true, force: true });
70
+ }
71
+
72
+ function requirePackagedPath(files, target) {
73
+ const normalized = path.posix.normalize(target).replace(/^\.\//, "");
74
+ const present =
75
+ files.has(normalized) ||
76
+ [...files].some((file) => file.startsWith(`${normalized}/`));
77
+ if (!present) {
78
+ throw new Error(`Packaged README target is missing: ${target}`);
79
+ }
80
+ }
81
+
82
+ function markdownLinkTargets(markdown) {
83
+ return [...markdown.matchAll(/!?\[[^\]]*\]\(([^)]+)\)/g)].map(
84
+ (match) => match[1]?.trim() ?? "",
85
+ );
86
+ }
87
+
88
+ function repositoryRelativeTarget(rawTarget) {
89
+ if (
90
+ !rawTarget ||
91
+ rawTarget.startsWith("#") ||
92
+ /^[a-z][a-z0-9+.-]*:/i.test(rawTarget)
93
+ ) {
94
+ return undefined;
95
+ }
96
+ const withoutTitle = rawTarget.startsWith("<")
97
+ ? rawTarget.slice(1, rawTarget.indexOf(">"))
98
+ : (rawTarget.split(/\s+["']/)[0] ?? rawTarget);
99
+ const target = decodeURIComponent(withoutTitle.split("#", 1)[0] ?? "");
100
+ if (!target || target === ".." || target.startsWith("../")) {
101
+ throw new Error(`README link escapes the package root: ${rawTarget}`);
102
+ }
103
+ return target;
104
+ }